
To start using the Multi-Factor Authentication function with Incisive inCLOUD, you need to:

  1. Provide us with a unique email address for each login to Incisive inCLOUD and indicate whether you want to authenticate using an app on your phone or use a hardware fob
    If you haven't already completed this step, you can use the template in this link to help you list your requirements, then send it back to us.

  2. An email will be sent to the email addresses, from wgcloud-no-reply@jpn.cloud.watchguard.com, with information on how to install and activate the Watchguard Authpoint app.  The app needs to be activated on your phone within 7 days of receiving the email.  The activation process can occur from your computer or the app on your phone.

    If you are using a Watchguard fob to generate the Passcode, you do not need to install anything on your phone or complete any activation process.  You can ignore the email from @watchguard.com.

  3. Change the 'Incisive inCLOUD' shortcut on your laptop/workstation to connect to secure.incloud.clinic instead of the current incisive.incloud.clinic
    You will need to delete the existing icon/shortcut.

    Instructions on creating a connection to secure.incloud.clinic on Incisive inCLOUD:

    If you need assistance to change the shortcut icon, please email a request to help@incisivesupport.com with some times that would suit you.

    Short tutorial videos showing how to use the Authentication options are available from this Knowledgebase article

    Incisive inCLOUD is including another layer of security, to protect your information even further.

    New servers have been added to the computing farm, which are configured to require ‘Multi-Factor Authentication’ (MFA or 2FA) to allow a remote connection to be established. This does mean there is an additional step in the process to log on, but it is a very effective barrier to unwanted cyber-intruders.

    All new users of Incisive inCLOUD are using the MFA system and we are requiring all existing customers to also upgrade the method they use to connect.

    The authentication levels used to secure the Incisive inCLOUD system are:

    1. inCLOUD network connection using your usual login e.g. incloud\mypractice01
    2. Passcode input, generated from the Authpoint app or hardware fob (new step)
    3. Incisive application login

    In addition, only connections from New Zealand based IP addresses (your router’s internet address) are permitted, without needing to use a separate VPN connection.

    The passcode is generated either from an app on your phone or a special hardware generator. These create a one-time passcode which you input during the connection process. This method of Multi-Factor Authentication is now used in all public hospitals, after the malware attack on the Waikato DHB last year.

    There are several key reasons we have chosen to include MFA:

    • CertNZ recommends MFA/2FA protection as an important security step;
    • the Privacy Act requires health agencies to take ‘reasonable security safeguards’ to protect health information;
    • the National Cyber Security Centre’s advisory for the increased threat of targeted cyber intrusion because of military actions between Ukraine and Russia.

    Frequently asked questions.

    What will change for us?

    1. The icon that you use to connect to the Incisive inCLOUD will need to be modified so it points to the new system (secure.incloud.clinic instead of incisive.incloud.clinic).  This needs to occur on each computer that connects to Incisive inCLOUD.
    2. You will need the Watchguard Authpoint app installed on a mobile phone or a hardware passcode generator, so that you can use one of them each time you connect to the Incisive inCLOUD.

    How does the MFA work?

    During the process to connect to Incisive inCLOUD, a screen will appear prompting whether you want to use the 'Push' or 'One-Time-Passcode' option. If the Push option is used a notification will appear, which can be 'Approved', or if the Passcode option is used, the number can be entered from either the Authpoint app or Hardware token generator. The Incisive application will then continue to start.

    See the Multi Factor Authentication (MFA) training videos.

    Push Notification

    Push Approval

    AuthPoint passcode

    Hardware passcode fob


    What happens if I don't have my phone?

    We recommend that you have access to both the Watchguard passcode generator and the Authpoint app, so there are alternative methods of generating the passcode. If neither is available, there is a ‘Forgot Token’ option where we need to be involved to allow access for a limited time.

    The Incisive inTOUCH mobile app can also be used to access your clinic or operating lists and view the patient’s records.

    We are a large practice/hospital and different staff frequently use the same computer.

    There is no change with how you currently use Incisive inCLOUD except that the first person who logs on will need to enter a Passcode from either the Authpoint app or the Watchguard passcode generator.

    Is each staff member going to need the Authpoint app on their phone?

    The Passcode that is generated is linked to an individual Incisive inCLOUD login. This means that for each login there will need to be either a specific hardware passcode generator or an Authpoint app token. It is possible (but not very practical) to have the Authpoint app on a single ‘Practice’ based phone, which has the ability to remotely ‘Approve’ a connection or issue a One-Time Passcode (OTP) for multiple logins.

    If the user is accessing Incisive inCLOUD from different locations (such as the specialist) then they should always use the Authpoint app on their own phone.

    Are there charges?

    The MFA technology is provided through an internationally respected company which does charge for its products and services. There will be changes to our fees to cover their costs and the hardware token generator can be purchased separately. Given the severe disruption that can occur from cyber-attacks, security costs are now regarded as an expected overhead of doing business.

    Everyone using Incisive inCLOUD will need to upgrade to the same level of high security.

    I use an Apple Mac. Do I need to use MFA?

    Yes.

    Is the change going to disrupt the running of our practice/hospital?

    All the preparation can be completed in the background while you continue to use the existing connection method. When you are ready to start using MFA, you just start using a different shortcut icon. Everything will continue to function as it is now. The connection process will take slightly longer.

    When is the change going to occur and what do we need to do?

    The process to migrate existing Incisive inCLOUD users to use secure.incisive.incloud has already started. We will shortly be inviting you to be involved, as we expect that everyone will be migrated before the end of the year. We will work with you to ensure the timing works well for you.

    You will need to:

    • decide how many Watchguard hardware fobs you want;
    • download and install the Watchguard Authpoint app, for the mobile users; and
    • provide an email address for each connection.

    What are the options if I don't want to use MFA?

    Because the database that you use for your records is the same for any Windows operating system, we can remove your records from the Incisive inCLOUD system so you can have them on your own on-site server.

    Are any other security changes going to occur?

    The Windows tsclient link to your computer’s drives will eventually be disabled and replaced by the Incisive Files drive, which has been provided to assist with easy upload and download of files/photos to and from the Incisive inCLOUD system. This allows us to virus-scan the files being uploaded and close another possible intrusion point from your computer.

    The operating system for the servers is being upgraded to Windows Server 2022, which has significant improvements in the detection and protection against malware attempts.
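
An added example, not part of Incisive's own tooling: a Python check for the two client-side changes described in this article (the move from incisive.incloud.clinic to secure.incloud.clinic, and the retirement of tsclient drive redirection). It assumes the shortcut is a standard Remote Desktop .rdp file using the 'full address' and 'drivestoredirect' settings; the function names and sample files are constructed for illustration.

```python
from pathlib import Path

OLD_HOST = "incisive.incloud.clinic"  # named in the article: connection being retired
NEW_HOST = "secure.incloud.clinic"    # named in the article: MFA-protected servers


def parse_rdp(raw: bytes) -> dict:
    """Parse .rdp bytes into {setting: value}; accepts UTF-16 (BOM) or UTF-8."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8-sig", errors="replace")
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)  # name:type:value, value may hold ':'
        if len(parts) == 3:
            settings[parts[0].lower()] = parts[2].strip()
    return settings


def audit_rdp(raw: bytes) -> list:
    """Return findings for one .rdp file; [] means nothing to fix or not inCLOUD."""
    s = parse_rdp(raw)
    host = s.get("full address", "").lower()
    if host.count(":") == 1:  # drop an optional :port suffix
        host = host.split(":")[0]
    if host not in (OLD_HOST, NEW_HOST):
        return []  # some other connection, out of scope for this check
    findings = []
    if host == OLD_HOST:
        findings.append(f"connects to {OLD_HOST}; recreate it for {NEW_HOST}")
    if s.get("drivestoredirect"):
        findings.append("redirects local drives (tsclient); use Incisive Files instead")
    return findings


def scan(folder: Path) -> dict:
    """Audit every .rdp file under folder; returns {path: findings} for files with issues."""
    hits = {}
    for p in sorted(folder.rglob("*.rdp")):
        found = audit_rdp(p.read_bytes())
        if found:
            hits[str(p)] = found
    return hits


# Constructed sample files (not taken from the inCLOUD system).
SAMPLE_OLD = "full address:s:incisive.incloud.clinic\r\ndrivestoredirect:s:*\r\n".encode("utf-16")
SAMPLE_NEW = b"full address:s:secure.incloud.clinic:3389\ndrivestoredirect:s:\n"
```

Calling scan() on the folder that holds your shortcuts (for example the Desktop) lists each file that still needs to be recreated.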

    Is MFA going to make my information completely secure?

    As I'm sure you have experienced, the cyber-security requirements are in a state of constant change. Protection is almost always a patching exercise to cover the holes that have previously been exposed by those wanting to get to your information or use you as a spring-board into someone else’s system.

    100% protection would mean that the Incisive inCLOUD system would have to be so locked down that remote access from your own computers or devices would be virtually impossible to use and very expensive to implement. To provide a system that is workable for you, there is always a degree of compromise between accessibility and protection, which is why we have backups and fail-over functions.

    If you have any questions please get in touch with us at help@incisivesupport.com 

    As a method of improving the security of the Incisive inCLOUD system, an additional layer of protection has been included during the connection process, which requires the end-user to authenticate the connection from their mobile phone.

    The authentication process involves an app, called Authpoint, installed on the phone, which can be used to either:

    • Push an approval notification; or
    • Provide a One-Time Passcode that can be manually entered during the Incisive inCLOUD connection process.

    Training videos are available to step you through how to configure the Authpoint app and also the options to authenticate the connection.

    See the Incisive inCLOUD MFA Advisory for information on the system and Frequently Asked Questions

    You can add 'alias' email accounts to Gmail and Office mailboxes, without them costing anything.  The incoming emails, addressed to the alias accounts, will all appear in the main mailbox account.

    The MFA function for Incisive inCLOUD requires a unique email address for each inCLOUD account and if you don't have individual practice emails or you don't want to use a personal email, you can easily create additional alias accounts.

    Google Gmail

    Send emails from a different address or alias - Gmail Help (google.com)

    How to set up Gmail or Google Workspace (G Suite) aliases – cloudHQ Support

    Microsoft Office

    Add another email alias for a user - Microsoft 365 admin | Microsoft Docs

    Incisive recommend that if you are hosted in the inCLOUD.clinic system or you have your own Terminal Server (Remote Desktop) environment, you should be using TSPrint or TSScan to get an optimal experience.

    You will need to install the TSPrint Client and TSScan Client applications on the local workstation/laptops so that they perform correctly.

    The installation process is very simple and no additional licensing is required.

    Instructions to install and configure TSPrint for SPM & PHM applications

    The TSPrint guide from Terminal Works is available:

    Windows -  https://www.terminalworks.com/remote-desktop-printing/downloads/documentation/TSPrintGuide.pdf

    Mac -  https://www.cloudwalks.com/uploads/2/6/6/5/26654030/printing_guide_for_mac.pdf (this is a bit old)

    Configure TSScan for Windows

    The TSScan install file is downloaded from https://www.terminalworks.com/downloads/tsscan/TSScan_client.exe 

    After installing, go to TerminalWorks > TSScan Client Settings in the Windows Start menu and select your default scanner


    Configure TSPrint for a Mac

    The TSPrint install file is downloaded from this site:

    https://www.terminalworks.com/downloads/tsprint/macosx/TSPrintClient.zip 

    After installing the app, check the inCLOUD → Mac printer mappings are correct.  If not, delete then choose the correct printer when printing the next time.

    Delete any that are incorrect or obsolete

    Print from SPM and choose the correct printer when the prompt appears.



    Configure TSScan for Mac

    Scanning from an Apple Mac Book

    Instructions for connecting a workstation or device to the Incisive inCLOUD network

    Step 1.  Create a RemoteApp connection to the Incisive inCLOUD servers.

    Step 2. Download and install TSPrint & TSscan client applications to your workstation/device to improve your printing & scanning experience.

    Step 3. (optional) Link to the 'Incisive Files' online storage location to make it easier to upload/download information.

    • For Windows
      • Request the script from the Incisive Helpdesk 
      • Open 'Windows PowerShell' on your PC (Windows) and paste the contents of the script into PowerShell
      • Press Enter to execute the command.  Close the window when it has completed
        (you should now see an 'Incisive Files P:' in Windows Explorer)
    • For Apple, request assistance from the Incisive Helpdesk

    Apple do not recognise or use TWAIN drivers to interact with scanners that are used with their Mac Book computers, so it takes a few more steps to get the scanning options configured and also to complete the scanning workflow.

    A short tutorial video displaying the workflow sequence to scan a document is available from this location

    Configuration

    1. Install the ICA driver for the scanner on the Mac.  Test by using the Apple 'Image Capture' app.
      If the driver doesn't install, check that you have sufficient permissions.
      If there is no ICA driver then the following steps will not work and you will have to scan the documents separately, then attach them using the Message Centre feature.
    2. Install (or update) the latest TSscan client app (for MacOS) on the computer that is connected to the scanner (https://terminalworks.com).
      1. Open the app (Finder > Applications) and select 'Options'.  Then check ON the 'Redirected folder' option.